Netgate Discussion Forum

    WPAD Setup help [Solved]

    Cache/Proxy

    • chris4916

      Not the ultimate way of solving the issue, but what you could (should?) do is to customize your proxy.pac file so that you do not rely on the proxy when accessing local files, including the pfSense GUI.

      This is done by adding the "DIRECT" directive. Something like this (copied from this link, which contains interesting stuff):

      
      function FindProxyForURL(url, host) {
      
      // If the requested website is hosted within the internal network, send direct.
          if (isPlainHostName(host) ||
              shExpMatch(host, "*.local") ||
              isInNet(dnsResolve(host), "192.168.1.0",  "255.255.255.0"))
              return "DIRECT";
      
      // DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
          return "PROXY 192.168.1.1:3128";
      
      }
      
      

      Notice that proxy.pac can contain other directives. I suggest you have a look at this once it works  ;)

      Jah Olela Wembo: Words turn into wounds when they upset, attack or hurt.
      • aGeekhere

        Thanks, I will have a look at that to see if it works.

        Never Fear, A Geek is Here!

        • aGeekhere

          Updated the first post, do not know what to try next.

          • chris4916

            @aGeekHere:

            updated first post, do not know what to try next.

            Ouch  :o  meaning we have to read it again and guess how it differs from the initial post; then those discovering this thread may find the answers meaningless if the initial post changed significantly.
            IMHO, this is more confusing than helpful, unless you managed to comment heavily on what was written before and how it changed.

            • aGeekhere

              It was more of a clean-up.

              • chris4916

                Reading your first post again:

                1 - you could easily maintain one single file and create a symlink
                2 - I'm not sure you can push multiple "DHCP option 252" values  :(
                3 - your proxy.pac file states:

                • if there is no domain extension (no FQDN, host only)
                • or if the FQDN belongs to the "local" domain (is it really your domain name?)
                • OR if the IP I try to reach belongs to my LAN
                  then go DIRECT (without proxy)

                Is that what you're targeting?

                4 - I don't understand

                Can connect to the internet (local ips are inaccessible, filtering works)

                ???

                5 - would you mind replacing "cannot connect to internet" with something clearer, like the error message you receive?

                • chris4916

                  @aGeekHere:

                  it was more of a clean up

                  Sure, I did notice, but if you read the whole thread again as if you were discovering it, the posts after your initial post are totally meaningless, aren't they?  ::)

                  • chris4916

                    Let's try something basic:

                    Using Firefox (let's focus on one browser for the time being):

                    • using the "automatic proxy detect for this network" option, it doesn't work (although an error message would be more than welcome here)
                    • using manual proxy configuration (192.168.1.1 port 3128), it works, and as there is no option for local IPs, these local servers can't be reached (still I don't understand why => this would mean that the proxy can access or can't resolve such URLs)
                    • using the "Automatic proxy configuration URL" option: it is not clear to me whether this works or not.

                    I also have the feeling that there is something unclear with your DNS: I'm very confused by the error/warning message about the DNS forwarder and port 80  ??? ???

                    • aGeekhere

                      Hi all, I have time again to try and get the wpad working.

                      I think I am starting to get my head around this.

                      This is where I am at:
                      pfSense is using the wpad files but with issues.

                      With this wpad example the issue is that local addresses are blocked:

                      function FindProxyForURL(url, host)
                      {
                          return "PROXY 192.168.1.1:3128";
                      }

                      To solve this we use this to allow local addresses:

                      function FindProxyForURL(url, host) {
                          if (isPlainHostName(host) ||
                              shExpMatch(host, "*.local") ||
                              isInNet(dnsResolve(host), "192.168.1.0",  "255.255.255.0"))
                              return "DIRECT";
                      
                          return "PROXY 192.168.1.1:3128";
                      }
                      

                      With this:

                      • sites in the squidguard blacklist are blocked with the squidguard error message (this is good)
                      • navigating to normal sites has major issues: some only half load, some do not load at all.

                      Getting very close to solving this; I think it could be the wpad code.

                      Anyone have any ideas?

                      • chris4916

                        Like with my previous reply, I think this deserves a clearer message: what does "with this wpad example the issue is local address are blocked" mean?
                        Is it "blocked" because not found, time-out, or not authorized by the proxy?

                        What you are describing shows that your WPAD set-up is working as expected:

                        • without any specific rule, everything goes through the proxy, including internal targets, but internal servers can't be reached via the proxy (this I don't know yet why)
                        • if you set up proxy.pac to go direct for internal servers, you can reach them.

                        Thus issue is definitely not with WPAD, IMHO  8)

                        • aGeekhere

                          Hi chris4916, I will try to be clearer about the current issue I have.

                          The wpad (the goal is to allow local sites to bypass the proxy but make all external sites go through the proxy):

                          function FindProxyForURL(url, host) {
                              if (isPlainHostName(host) ||
                                  shExpMatch(host, "*.local") ||
                                  isInNet(dnsResolve(host), "192.168.1.0",  "255.255.255.0"))
                                  return "DIRECT";
                          
                              return "PROXY 192.168.1.1:3128";
                          }
                          

                          Current status
                          pfSense is now passing the wpad on to the browsers (Chrome and IE for now, through the DNS forwarder).

                          http://www.lagado.com/proxy-test shows that the browsers are connected through a proxy (good)

                          sites in the squidguard blocklist are being blocked for both http and https connections (good)

                          Current issue
                          Normal websites (sites which are not blocked by squidguard) are not loading correctly (images are missing, the layout is not fully loaded and some sites do not load at all).

                          "with this wpad example the issue is local address are blocked" mean?
                          I was just outlining that if you use that example wpad from https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid, local addresses are blocked, and by blocked I mean I get a proxy error (can't remember what the error was).

                          What you are describing shows that your WPAD set-up is working as expected
                          That is correct the WPAD is now working (however now have another issue with webpages not loading correctly)

                          if you set-up proxy.pac to do direct for internal servers, you can reach it.
                          I can reach them now by using the following wpad

                          function FindProxyForURL(url, host) {
                              if (isPlainHostName(host) ||
                                  shExpMatch(host, "*.local") ||
                                  isInNet(dnsResolve(host), "192.168.1.0",  "255.255.255.0"))
                                  return "DIRECT";
                          
                              return "PROXY 192.168.1.1:3128";
                          }
                          

                          Let me know if I need to expand on anything

                            • chris4916
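To confirm that the proxy.pac above routes hosts the way chris4916's three-condition reading of it describes, here is an added example that is not from the thread: the same FindProxyForURL with the PAC helper functions stubbed in plain JavaScript and a constructed name table (the hostnames, the mylocaldomain.local zone and the external address are assumptions) so it runs offline under Node.

```javascript
// Added example, not from the thread: the proxy.pac logic with the PAC
// helper functions stubbed so the rules can be exercised offline in Node.
// Real PAC runtimes supply isPlainHostName/shExpMatch/isInNet/dnsResolve.

// Constructed name table standing in for the pfSense DNS forwarder (assumed
// names; only the 192.168.1.0/24 range and proxy address come from the thread).
const FAKE_DNS = {
  "pfsense": "192.168.1.1",
  "nas.mylocaldomain.local": "192.168.1.20",
  "www.example.com": "203.0.113.10",   // any non-LAN address will do
};

// --- PAC helper shims ---
function isPlainHostName(host) { return !host.includes("."); }

// Shell-style glob: '*' matches any run, '?' one char; anchored at both ends.
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// False when dnsResolve failed: an unresolvable name must not go DIRECT.
function isInNet(ip, net, mask) {
  if (!ip) return false;
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// IP literals resolve to themselves; unknown names return null like NXDOMAIN.
function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;
  return FAKE_DNS[host] || null;
}

// --- the thread's proxy.pac, logic unchanged ---
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0"))
    return "DIRECT";
  return "PROXY 192.168.1.1:3128";
}

// Route every host of interest; returns {host: decision} for inspection.
function routeAll(hosts) {
  const out = {};
  for (const h of hosts) out[h] = FindProxyForURL("http://" + h + "/", h);
  return out;
}

console.log(routeAll([...Object.keys(FAKE_DNS), "192.168.1.50", "unknown.example.net"]));
```

The order of the tests matters: dnsResolve runs for every host that fails the two cheap string checks, so each external request costs a DNS lookup before the browser even contacts Squid, which is why the string checks come first.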

                            That's clearer (I hope  :))

                            So your current issue has nothing to do with WPAD but with the proxy (Squid) that is not loading pages as expected (or Squidguard blocking some parts of these pages).
                            Did you look at the squid log content already?

                            Keep in mind that quite often web pages as you see them through your browser are built from different sources.
                            I would suggest that you perform some tests without any Squidguard rules or even Squid ACLs, just to ensure that from an HTTP standpoint everything is OK between your browser and external web servers, then introduce Squid ACLs if needed and Squidguard rules so that you can, perhaps, determine what's wrong here.

                              • aGeekhere

                              I have updated the first post; I now use strikethrough to show old settings. Very strange issue this is now: squidguard is not showing any blocked items for non-blocked sites, and even if I turn it off or allow all in squidguard I get the same issue (sites not loading correctly, missing content, not loading at all AND very very slow webpage loading times).

                              Stuck atm (I wonder if it is squid3 that is the issue);

                              Any ideas on what I should try next?

                                • chris4916

                                @aGeekHere:

                                I have updated the first post; I now use strikethrough to show old settings.

                                From a personal viewpoint, this is not something I'm used to doing because it makes the next posts out of context most of the time.

                                Very strange issue this is now: squidguard is not showing any blocked items for non-blocked sites, and even if I turn it off or allow all in squidguard I get the same issue (sites not loading correctly, missing content, not loading at all AND very very slow webpage loading times).

                                Stuck atm (I wonder if it is squid3 that is the issue);

                                I'm not using Squid on pfSense, but reading various threads here and there, it looks like there is a significant number of problems with Squid on pfSense 2.x
                                At least, you have clarified that Squidguard is not the issue here, nor WPAD  ;)
                                Now you could perhaps focus on Squid logs…

                                  • aGeekhere

                                  Reinstalled the squid GUI components, cleared the cache (on the user computers and squid's cache), and now it works :)

                                  Will test it for a few days to see how I go.

                                  ;D

                                  [Update]
                                  If I have no issues with it I will write up a how-to.

                                    • aGeekhere

                                    I just want to update something here.
                                    If you are having issues with webpages only half loading (which is what I had), then you must first delete your squid cache; that should fix the issue.

                                      • KOM

                                      if you are having issues with webpages only half loading

                                      This can also be symptomatic of an IPv6/IPv4 preference issue with dual-stack sites.

                                        • aGeekhere

                                        Hi all,

                                        I found an issue where some programs have a problem with the global "automatically detect settings" option (some programs with this issue do not even have a proxy settings page) and still want to go through port 80 (I think this could also be what is causing DownThemAll to only connect to 1 segment, because when I open port 80 I can connect to more segments).

                                        So sometimes I have to reopen port 80 to let the traffic through temporarily.

                                        I read somewhere that a NAT rule could be created to catch any leftover traffic going to port 80 and redirect it to port 3128.

                                        Tried playing around with a NAT rule:
                                        LAN - TCP - LAN address - 80 - WAN address - 80 - 192.168.1.1 - 3128
                                        And in rules I put it at the top.

                                        However the traffic is not redirected.
                                        Tested with a troubled program using:

                                        • no proxy
                                        • automatically detect settings
                                        • and even setting the proxy setting with the port set to 80

                                        Any thoughts on this?

                                          • User43617

                                          @aGeekHere:

                                          2. Disable DNS Resolver Updated needs to be on

                                          3.Configure DNS Service
                                          add new Host Overrides

                                          Host: wpad
                                          Domain: mylocaldomain.local
                                          IP Address: 192.168.1.1
                                          Description: WPAD Autoconfigure Host

                                          save
                                          Updated change Listen Port to 3128
                                          Enable DNS forwarder
                                          save

                                          Quick question, for clarification on the above quote, please:
                                          I currently have DNS Resolver off and DNS forwarder on, with the above Host Override configured on the DNS forwarder.

                                          Which one did you apply the Host Override configuration to?

                                          Which one did you change to listen on port 3128 (same as Squid3, unless you changed that; I don't think you did, based on your proxy.pac code)?

                                          I add the firewall rules for blocking HTTP and HTTPS and I can't load internet pages.  I can still get to local servers.  Nothing's being filtered by Squidguard.  Or, at least, it's not showing up in the logs.  Wondering if that's my problem now.

                                            • aGeekhere

                                            It is the DNS forwarder that needs the Host Override configuration.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.